Dan
Reputation: 1244
How can I secure use of fopen on a CSV file?
I have a PHP script which allows a user to upload a CSV, and then make some changes via an API.
I use fopen to open and access the file after it's been uploaded. I check for size, name, presence of known bad extensions etc using the $_FILES array on upload.
The data is simply a grid of ID's and corresponding action codes.
It's a closed group of users, and nothing is being include)()'ed or require()'d from this input but I am still concerned that by manipulating the upload something bad can happen.
if (($han = fopen($fileloc, "r")) !== false) {
while (($data = fgetcsv($han, 50, ",")) !== false) {
array_push($stack, $data); //
}
fclose($han);
}
Upvotes: 3
Views: 558
Answers (1)
Goran
Reputation: 675
The only thing I could see is when echoing back HTML (echo or print) use: htmlspecialchars just to be on the safe side
Hope that helps! ^_^
Upvotes: 0
Related Questions
- Encrypt a .csv file with a password or token and ask for that password everytime user wants to read in the file
- How to open a CSV-fil with PHP and fopen
- Using '' with open, reader '' functions
- Many clients trying to write in a CSV file
- PHP csv functions, Microsoft safe?
- How to generate password protected csv file by using php
- Cant use php fopen() function in wordpress functions.php
- How to generically open a file in php
- fopen() / fputcsv( ) : error
- How do I restrict download access to a CSV file created using PHP?